This project documents a simple SOC detection exercise in which network scanning activity was generated with Nmap and reviewed through Wazuh. The goal was to better understand how attacker behavior can appear in a monitored environment and how defensive tools can help identify suspicious activity.
The objectives of the exercise were to:

- Generate scan activity with Nmap
- Observe whether the activity appeared in Wazuh
- Practice connecting offensive actions to defensive visibility
- Document the workflow as part of a hands-on SOC lab
The lab used the following tools and systems:

- Nmap
- Wazuh
- Kali Linux
- Ubuntu/Linux lab systems
- Homelab network environment
The workflow followed these steps:

- Prepared the lab systems and confirmed connectivity.
- Generated scan activity using Nmap from the attacker system.
- Reviewed logs and alerts in Wazuh.
- Compared scan behavior with what was visible from the defender side.
- Documented screenshots and results.
This project helped me understand that detection work is not just about running tools, but about interpreting what activity looks like from both the attacker and defender perspectives. It also reinforced the relationship between network scanning, log visibility, and alerting.
Screenshots captured during the lab, with their captions:

- The Kali virtual machine used to simulate attacker activity in the lab.
- Nmap identified the target host as active and detected an open SSH service on port 22.
- An SSH login attempt was made from the Kali system to the Ubuntu target. The login attempt failed, but it generated authentication-related activity for review.
- The Wazuh dashboard displayed collected security events from the monitored endpoint.
- Wazuh reflected multiple authentication-related events associated with the SSH attempt.
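To show what the "authentication-related events" above look like before Wazuh turns them into alerts, here is an added example (not part of the original lab or of Wazuh) that parses sshd lines in the Ubuntu `/var/log/auth.log` format, groups failed logins by source address, and flags a source once it crosses a threshold, the same grouping a SIEM brute-force rule keys on. The log lines, hostname and addresses are constructed sample values, not the lab's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/auth.log on
# Ubuntu. Hostname and addresses are assumed lab values, not the page's own.
SAMPLE_AUTH_LOG = """\
Mar  3 14:02:11 ubuntu-target sshd[2211]: Failed password for invalid user admin from 192.168.56.101 port 50212 ssh2
Mar  3 14:02:13 ubuntu-target sshd[2211]: Failed password for invalid user admin from 192.168.56.101 port 50212 ssh2
Mar  3 14:02:15 ubuntu-target sshd[2211]: Connection closed by invalid user admin 192.168.56.101 port 50212 [preauth]
Mar  3 14:05:40 ubuntu-target sshd[2230]: Accepted publickey for alice from 192.168.56.10 port 41002 ssh2
Mar  3 14:06:02 ubuntu-target sshd[2241]: Failed password for alice from 192.168.56.101 port 50220 ssh2
"""

# Matches both "Failed password for invalid user X from IP" (unknown account)
# and "Failed password for X from IP" (known account, wrong credential).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse_failed_logins(log_text):
    """Return (user, source_ip) for every sshd failed-password line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("src")))
    return hits


def failures_by_source(log_text):
    """Count failed logins per source IP; connection-closed and accepted lines are ignored."""
    counts = defaultdict(int)
    for _user, src in parse_failed_logins(log_text):
        counts[src] += 1
    return dict(counts)


def flag_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures, sorted for stable output."""
    return sorted(src for src, n in failures_by_source(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in failures_by_source(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {n} failed SSH logins")
    print("flagged:", flag_sources(SAMPLE_AUTH_LOG))
```

Running the same parser over the real auth.log from the Ubuntu target is a quick way to confirm that the events Wazuh showed match what sshd actually wrote.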
This project is part of a broader SOC monitoring lab.
For the full Wazuh lab setup and environment documentation, see the related repository: